Fixing Core Group Policy problems

This topic uses a structured approach and flowcharts to troubleshoot Group Policy core functionality. In Windows XP and Windows Server 2003, you can use Resultant Set of Policy (RSoP) to track the final set of processed policy settings. GPMC provides an easy view into the RSoP data through its Group Policy Results tool. This topic is based on the use of Group Policy Results reports to view and analyze RSoP data. It is recommended that you read through this topic before moving to one of the subsections listed below.

Flowchart for Troubleshooting Group Policy Core Functionality

Use the flowcharts in this topic to quickly identify the likely root causes for unexpected Group Policy behavior, based on three questions that are easily answered from the Group Policy Results report.

Navigating the Troubleshooting Flowchart

The troubleshooting flowcharts in this topic focus on core Group Policy processing. Their primary purpose is to help you validate that the underlying infrastructure is in place to support delivery of GPOs to the client, that the user and computer are appropriately targeted to receive the intended GPOs, and that Group Policy processing puts the correct GPOs into effect.

A Group Policy Results report is the primary resource for troubleshooting Group Policy using this flowchart. Specifically, when investigating a problem, the administrator — where possible — should generate a Group Policy Results report for the user and computer combination encountering the problem. The sections of the report contain the information you use to navigate through the flowchart.

To generate a Group Policy Results report

1. Open the Group Policy Management Console.

2. In the console tree, double-click the forest in which you want to create a Group Policy Results query, right-click Group Policy Results, and then click Group Policy Results Wizard.

3. In the Group Policy Results Wizard, click Next and enter the appropriate information.

4. After completing the wizard, click Finish.

5. If you want to print or save the report, right-click the settings report in the results pane, and then do one of the following:

   - Select Print to print the report.
   - Select Save Report to save the report.

An example of a Group Policy Results report is shown in Figure 2.

This example shows the Summary tab of the report with the Group Policy Objects sections under Computer Configuration Summary and User Configuration Summary expanded.

By examining the GPMC Results report, you can find answers to the following questions that are associated with the flowchart:

Was the GPO applied to the client? The Summary tab shows this information.

Is the policy setting listed in GPMC Results? The Settings tab shows this information in a way that reflects the user interface of the Group Policy Object Editor.

Is the GPO listed as Denied in GPO Results? The Summary tab shows this information.
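The first and third questions can also be answered from the command line. The PowerShell below is an added example, not part of the original article: it parses the summary that gpresult prints (gpresult /r locally, or gpresult /s <computer> /user <domain\user> /r for another user and computer) into objects, then maps a GPO's status to the section of this topic that applies. The section headings it looks for ("Applied Group Policy Objects", "The following GPOs were not applied because they were filtered out", "Filtering: ...") are the ones gpresult prints on the systems I have checked; the embedded sample text is constructed for the example, and the GPO and account names in it are placeholders.

```powershell
# Added example: parse the gpresult text summary and answer the flowchart questions.
# The sample below is constructed; feed it real output with (gpresult /r) -join "`n".
$SampleGpresult = @'
COMPUTER SETTINGS
------------------
    CN=WKS01,OU=Workstations,DC=corp,DC=example
    Last time Group Policy was applied: 1/2/2024 at 8:00:00 AM
    Group Policy was applied from:      DC01.corp.example

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Workstation Baseline

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        Admin Workstation Hardening
            Filtering:  Denied (Security)

USER SETTINGS
--------------
    CN=jsmith,OU=Staff,DC=corp,DC=example

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Laptop Users
            Filtering:  Denied (WMI Filter)
'@

function ConvertFrom-GpresultSummary {
    # Returns one object per GPO line: Scope (Computer/User), Gpo, Status (Applied/Denied), Reason.
    param([Parameter(Mandatory)][string]$Text)
    $scope = $null; $list = $null; $pending = $null
    $results = New-Object System.Collections.Generic.List[object]
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if     ($line -eq 'COMPUTER SETTINGS') { $scope = 'Computer'; $list = $null; $pending = $null }
        elseif ($line -eq 'USER SETTINGS')     { $scope = 'User';     $list = $null; $pending = $null }
        elseif ($line -eq 'Applied Group Policy Objects')                 { $list = 'Applied' }
        elseif ($line -like 'The following GPOs were not applied*')        { $list = 'Denied' }
        elseif ($line -like 'The * is a part of the following security*') { $list = $null }   # end of GPO lists
        elseif ($line -match '^-+$' -or $line -eq 'N/A') { }                                   # underline / empty list
        elseif ($line -match '^Filtering:\s*(.+)$') {
            if ($pending) { $pending.Reason = $Matches[1].Trim() }                              # reason for the GPO above
        }
        elseif ($line -eq '' -or -not $scope -or -not $list) { $pending = $null }
        else {
            $pending = [pscustomobject]@{ Scope = $scope; Gpo = $line; Status = $list; Reason = $null }
            $results.Add($pending)
        }
    }
    return $results
}

function Get-GpoFlowchartAnswer {
    # Maps the parsed status of one GPO to the section of the troubleshooting topic to read next.
    param([Parameter(Mandatory)][object[]]$Entries, [Parameter(Mandatory)][string]$GpoName)
    $hits = @($Entries | Where-Object { $_.Gpo -eq $GpoName })
    if ($hits.Count -eq 0) {
        return "'$GpoName' is neither Applied nor Denied in either scope: it did not reach the client (see 'GPO Not Applied, Not Listed in Denied List')."
    }
    foreach ($h in $hits) {
        if ($h.Status -eq 'Applied') {
            "$($h.Scope): '$GpoName' was applied. Check the setting itself next (winning GPO, replication, refresh, CSE, loopback)."
        } else {
            $section = switch -Wildcard ($h.Reason) {
                '*(Security)*'   { 'Security Filtering (GPO Denied)' }
                '*(WMI Filter)*' { 'WMI Filter (GPO Denied)' }
                '*(Empty)*'      { 'Empty GPO (GPO Denied)' }
                default          { 'Disabled Link or Inaccessible GPO (GPO Denied); confirm the reason in the Denied GPOs list of the report' }
            }
            "$($h.Scope): '$GpoName' was denied, reason '$($h.Reason)'. See: $section."
        }
    }
}

$entries = ConvertFrom-GpresultSummary -Text $SampleGpresult
$entries | Format-Table Scope, Status, Gpo, Reason -AutoSize
Get-GpoFlowchartAnswer -Entries $entries -GpoName 'Admin Workstation Hardening'
Get-GpoFlowchartAnswer -Entries $entries -GpoName 'Laptop Users'
Get-GpoFlowchartAnswer -Entries $entries -GpoName 'Not Linked Anywhere'
```

The second question (is the setting listed?) still needs the Settings tab of the Group Policy Results report, because the text summary does not enumerate individual settings.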

In this scenario the client has successfully received the GPO and the specific policy setting is in effect at the client. This means that the only problem is that the actual value of the policy setting is incorrect. For information about the individual settings that have been applied, see the Settings tab of the Group Policy Results report.

GPO Applied, Policy Setting Listed in Group Policy Results Report

The scenario used for "Navigating the Troubleshooting Flowchart" applies to this section.

GPO Inheritance (Setting Listed)

Although GPOs have been applied and the correct policy setting is listed, Group Policy inheritance might result in an unexpected GPO “winning” and providing a different value from the one expected. The settings are nested by source and type. To expose the settings, click Show on the nested rows, and then look at the Winning GPO column to discover which GPO defines the value for the policy setting. For more information, see GPO provides unexpected value.

Replication (Setting Listed)

After a change is made to either the GPO or the user or computer, that change must be replicated throughout the network. If you expected the winning GPO to supply a value for the setting other than the value that was actually applied, it might be that the GPO was changed recently and the change has not yet been replicated to the domain controller that supplied the GPO to the client. For more information, see Group Policy does not replicate.

Group Policy Refresh (Setting Listed)

If Group Policy Refresh has not occurred since the winning GPO was modified and replicated, the old value for the setting is applied. After the changes to a GPO have been replicated to the client’s domain controller, they need to be transmitted to the client. This occurs when the client refreshes Group Policy. Until this has occurred the change will not be reflected at the client. You can either wait for a background refresh or force the refresh. For more information, see Group Policy does not refresh.

Asynchronous Application of Group Policy (Setting Listed)

Group Policy can be applied after the computer has started and the user has logged on. This is called asynchronous application of Group Policy, in contrast to synchronous processing that occurs as part of startup or logon.

If the problem is with a setting that can only be applied during startup or logon, it might have been detected during asynchronous Group Policy processing (for example, as part of a Group Policy refresh or during the asynchronous processing used for logon optimization in Windows XP).

Client-Side Extension Issue (Setting Listed)

After the core Group Policy engine has completed initial processing of the GPOs, it passes specific settings to client-side extensions (CSEs) to process. If the setting is listed but the value is wrong or the behavior on the client does not reflect the setting value, the failure might have occurred after this setting was passed to a CSE to process. For example, even if a Folder Redirection setting has been successfully passed to the Folder Redirection CSE, the CSE might not be able to complete processing for the setting. For more information, see the appropriate topic for the CSE. For example, for more information about Administrative Templates, see Fixing Administrative Template policy setting problems.

Loopback Processing (Setting Listed)

Loopback processing is a way to enforce a set of user settings at a computer regardless of who logs on at that computer. Typically, user settings are applied based on the site and OU membership of the user. If loopback processing is set for a computer, the user settings for anyone logged on to that computer are dependent (partially or fully) on the site and OU membership of the computer. The behavior depends on the mode of loopback processing. In Replace mode, only the user settings defined in GPOs applied to the computer are used. In Merge mode, user settings from GPOs that would normally apply to the user are used provided they do not conflict with user settings in GPOs that apply to the computer.

Loopback processing only works if the computer and user are both in Windows 2000 or Windows Server 2003 domains. They can be in different domains, and one can be in a Windows 2000 domain while the other is in a Windows Server 2003 domain. You cannot deploy Group Policy to users in a Windows NT 4.0 domain by applying loopback to a computer in a Windows 2000 or Windows Server 2003 domain.

Security filters can affect the way loopback processing is applied. Even when the GPOs associated with the computer are used to define user settings, the user’s credentials — not the computer’s credentials — are validated against the GPO’s security filter. Therefore the user’s credentials determine whether the GPO should be applied.

For example, you could create a GPO with a security filter that restricts the GPO to system administrators, and then associate that GPO with a computer that is configured for loopback processing. The settings in that GPO would only be applied when a system administrator is logged on.

To determine whether loopback processing is in effect, look for the User Group Policy loopback processing mode setting on the Settings tab of the report, which appears under Computer Configuration\Administrative Templates\System\Group Policy. For more information, see Loopback processing does not work.

GPO Applied, Policy Setting Not Listed in Group Policy Results Report

In the Group Policy Results report, the structure of the Settings tab is similar to the structure used in the Group Policy Object Editor. Expand the sections on the Settings tab by clicking Show. If the expected policy setting does not appear at all, either no updated GPO containing the expected setting reached the client, or the setting might not be processed at the client.

Replication (Setting Not Listed)

After a setting is added to a GPO, that change must be replicated throughout the network. If the setting is specified in the GPO but is not listed in the Group Policy Results report on the client, it might be that the setting was recently added to the GPO, but the change has not yet been replicated to the domain controller that supplied the GPO to the client. For more information, see Group Policy does not replicate.

Group Policy Refresh (Setting Not Listed)

If Group Policy Refresh has not occurred since the winning GPO was modified and replicated, a newly added setting will not be applied. After the changes to the GPO have been replicated to the client’s domain controller, they need to be transmitted to the client. This occurs during Group Policy refresh. You can either wait for a background refresh or force the refresh by running gpupdate, by logging off and logging on again (that is, for user configuration), or by restarting the computer (that is, for computer configuration). For more information, see Group Policy does not refresh.

Lack of Operating System Support (Setting Not Listed)

Some policy settings are supported on certain operating systems only or they require a minimum service pack to be applied. When a GPO delivers a policy setting to a client computer that does not support that setting, the operating system ignores the setting. For more information, see Policy setting is not supported.

Slow Link (Setting Not Listed)

Some policy settings do not apply over a slow link, which is defined by default as 500 kilobits per second. These settings include:

GPO Not Applied, Listed in Denied List in Group Policy Results Report

If the GPO successfully reaches the client, it appears either in the list of Denied GPOs or in the list of Applied GPOs. A GPO can be explicitly denied for any number of reasons. To determine whether a GPO is denied, look on the Summary tab of the Group Policy Results report. Under Computer Configuration Summary and again under User Configuration Summary, click Show to expand Group Policy Objects, and then show Denied GPOs. The reason for the denial is provided for each denied GPO.

Security Filtering (GPO Denied)

The user or computer does not have the required permissions on the GPO. The required permissions are Read and Apply Group Policy. Alternatively, a GPO might carry a Deny ACE for the user or computer (or a group it belongs to), which overrides any other permissions granted to the user or computer. For more information, see Policy settings incorrectly applied or denied due to security filtering.
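The following PowerShell is an added example, not from the original article, showing how to check whether a given user account would pass a GPO's security filter: it collects the SIDs that would be in the user's token (the account, its primary group, Authenticated Users, and nested group membership), lists every ACE on the GPO with Get-GPPermission -All, and applies the rule stated above (Read plus Apply Group Policy is required, and any Deny ACE wins). Because a loopback-processed GPO is still filtered against the user's credentials, the same check applies to the loopback scenario described earlier; test the user account, not the computer account. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed; the GPO name and account name are placeholders, and the inclusion of Authenticated Users and the primary group is my own addition to what the LDAP membership query returns.

```powershell
# Added example: evaluate a user's effective permission on a GPO (security filtering).
Import-Module GroupPolicy, ActiveDirectory

function Get-UserTokenSids {
    # SIDs a domain user's token would contain, as far as AD can tell us offline from the client.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties primaryGroupID
    $domainSid = (Get-ADDomain).DomainSID.Value
    $sids = New-Object System.Collections.Generic.List[string]
    $sids.Add($u.SID.Value)
    $sids.Add("$domainSid-$($u.primaryGroupID)")   # primary group (usually Domain Users), not returned by memberOf
    $sids.Add('S-1-5-11')                            # Authenticated Users: the default trustee with Apply Group Policy
    # LDAP_MATCHING_RULE_IN_CHAIN resolves nested group membership on the domain controller
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($u.DistinguishedName))" |
        ForEach-Object { $sids.Add($_.SID.Value) }
    return $sids
}

function Test-GpoSecurityFilter {
    # Applies the filtering rule: a Deny ACE for any token SID overrides; otherwise Apply Group Policy is needed.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string[]]$TokenSids   # from Get-UserTokenSids
    )
    $aces     = Get-GPPermission -Name $GpoName -All
    $relevant = @($aces | Where-Object { $_.Trustee.Sid -and ($TokenSids -contains $_.Trustee.Sid.Value) })
    $deny     = @($relevant | Where-Object { $_.Denied })
    $apply    = @($relevant | Where-Object { -not $_.Denied -and $_.Permission -eq 'GpoApply' })
    $custom   = @($relevant | Where-Object { $_.Permission -eq 'GpoCustom' })

    if ($deny.Count -gt 0) {
        $verdict = "Denied: Deny ACE for $(($deny | ForEach-Object { $_.Trustee.Name }) -join ', ') overrides any grant"
    } elseif ($apply.Count -gt 0) {
        $verdict = "Applied: Read + Apply Group Policy via $(($apply | ForEach-Object { $_.Trustee.Name }) -join ', ')"
    } elseif ($custom.Count -gt 0) {
        $verdict = 'Undetermined: custom ACL entries; inspect Delegation > Advanced for the GPO in GPMC'
    } else {
        $verdict = 'Denied: no trustee in the token holds Apply Group Policy (Security Filtering)'
    }
    [pscustomobject]@{ Gpo = $GpoName; Verdict = $verdict; MatchingAces = $relevant }
}

# Placeholder names; substitute the account and GPO from the Denied GPOs list of the report.
$sids = Get-UserTokenSids -SamAccountName 'jsmith'
$check = Test-GpoSecurityFilter -GpoName 'Admin Workstation Hardening' -TokenSids $sids
$check.Verdict
$check.MatchingAces | Format-Table @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied, Inherited -AutoSize
```

Get-GPPermission reports GpoApply for a trustee that holds both Read and Apply Group Policy, so a trustee listed only as GpoRead does not satisfy the filter; entries it cannot classify come back as GpoCustom, which is why the function refuses to guess in that case.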

Disabled Link (GPO Denied)

There is a link to the GPO from a site, domain, or OU in the hierarchy of the user or computer, but that link has been explicitly disabled. You can quickly scan the navigation pane of GPMC for disabled links.

Inaccessible GPO (GPO Denied)

There is a link to the GPO, but the GPO cannot be accessed. There are several possible reasons for this:

- The permissions on the GPO or on folders in the path to the Group Policy template are insufficient for it to be accessed and read. If this situation occurs, the Component Status section of the Group Policy Results report will indicate Failure for the component Group Policy Infrastructure.

- The GPO might have been deleted, but the link to it remains for some reason (such as replication lag).

- Network connectivity problems might prevent access to the GPO.

- The client is unable to contact any domain controller.

Empty GPO (GPO Denied)

A GPO will be denied if it has no settings. This occurs when an administrator has configured a GPO and linked to it, but has not set any policy settings within the GPO. Either remove the link to the GPO or add policy settings to the GPO. If there are no remaining links to the GPO, you should consider deleting it.

WMI Filter (GPO Denied)

A WMI filter applied to a GPO is essentially a Boolean (true/false) decision as to whether the entire GPO should be applied to the client computer. The filter is evaluated at the client when the GPO is applied. Based on the embedded WQL query, the GPO will either be enabled or disabled. For more information, see Policy settings incorrectly applied or denied due to WMI filtering.
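To see why a filter evaluated to false on a particular client, you can run its WQL queries on that client yourself. The PowerShell below is an added example and not part of the original article: each query is run with Get-CimInstance in the namespace the filter names, a query passes when it returns at least one instance, and the GPO applies only if every query in the filter passes. The two queries are constructed samples; copy the real ones from the WMI Filters node in GPMC. A query that fails to run (for example an unknown class) is reported with its error rather than silently counted as false, because this topic does not say how the client treats evaluation errors.

```powershell
# Added example: evaluate a GPO's WMI filter queries on the local computer.
function Test-WmiFilterLocally {
    param(
        # Each entry: @{ Namespace = 'root\cimv2'; Query = 'SELECT ...' }, as shown in GPMC for the filter
        [Parameter(Mandatory)][hashtable[]]$Queries
    )
    $results = foreach ($q in $Queries) {
        try {
            # Force an array so that a single instance still has a Count of 1
            $count = @(Get-CimInstance -Namespace $q.Namespace -Query $q.Query -ErrorAction Stop).Count
            [pscustomobject]@{ Query = $q.Query; Instances = $count; Passes = ($count -gt 0); Error = $null }
        } catch {
            [pscustomobject]@{ Query = $q.Query; Instances = 0; Passes = $false; Error = $_.Exception.Message }
        }
    }
    [pscustomobject]@{
        Queries    = $results
        # All queries in the filter must return at least one instance for the GPO to apply
        GpoApplies = (@($results | Where-Object { -not $_.Passes }).Count -eq 0)
    }
}

# Constructed sample filter: "workstation that has a battery" (laptop targeting)
$sampleFilter = @(
    @{ Namespace = 'root\cimv2'; Query = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1' }
    @{ Namespace = 'root\cimv2'; Query = 'SELECT * FROM Win32_Battery' }
)
$r = Test-WmiFilterLocally -Queries $sampleFilter
$r.Queries | Format-Table Query, Instances, Passes, Error -AutoSize
'GPO would be {0}' -f $(if ($r.GpoApplies) { 'applied' } else { 'denied (WMI Filter)' })
```

On a desktop without a battery the second query returns nothing, so the report shows the GPO as denied with the reason Denied (WMI Filter), which is the case this section describes.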

GPO Not Applied, Not Listed in Denied List in Group Policy Results Report

All the GPOs that reach the client appear on the Summary tab in either the Group Policy Objects Applied section or the Group Policy Objects Denied section. There are four lists altogether: two lists (that is, Applied GPOs and Denied GPOs) under Computer Configuration Summary for settings that are delivered from the computer’s Active Directory hierarchy, and another two under User Configuration Summary for settings that are delivered from the user’s Active Directory hierarchy. If the GPO is not listed as either Applied or Denied under either Configuration Summary, it did not reach the client.

Also note whether the GPO is listed in the expected Configuration Summary (Computer or User), because this can affect which settings are actually applied, particularly if loopback processing is in effect.

Scope of Management (GPO Not at Client)

One of the most common causes of a GPO not being applied to a user or computer is that the GPO is not linked to a site, domain, or OU of which the computer or user is a member. GPOs are delivered to clients based on the site and OU memberships of the computer and the logged-on user. Group memberships are only used to further restrict application of the GPO. For more information, see GPO provides unexpected value.

Replication (GPO Not at Client)

After an administrator has linked a GPO to a site, domain, or OU in the hierarchy of the user or computer, the change must be replicated to the domain controller from which the client retrieved its GPOs. Also, if the user or computer has recently been added to an OU, the GPOs that apply to that OU might not be applied to the client until the change in OU membership has been replicated to the domain controller from which the client retrieves GPOs. For more information, see Group Policy does not replicate.

Group Policy Refresh (GPO Not at Client)

After an administrator has linked a GPO to a site, domain, or OU in the hierarchy of the user or computer, and the change has been replicated to the client’s domain controller, the GPO still needs to reach the client. This occurs during Group Policy refresh. You can either wait for a background refresh or force the refresh.
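The Replication and Group Policy Refresh subsections above (for both the "Setting Not Listed" and the "GPO Not at Client" cases) come down to one comparison: which version of each GPO the domain controllers hold, and which version the client last processed. The PowerShell below is an added example, not from the original article, that makes that comparison for the computer scope: it reads the client's Group Policy history from the registry, lists the GPOs linked to the computer's OU chain with Get-GPInheritance, and asks one or more domain controllers with Get-GPO -Server for their AD and SYSVOL versions. It assumes the GroupPolicy and ActiveDirectory RSAT modules, and it assumes the history key layout I have observed (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\<CSE GUID>\<n> with values GPOName, DisplayName and Version, where the low 16 bits of Version are the computer version and the high 16 bits the user version); verify that layout on your own clients. Computer and DC names are placeholders, and site-linked GPOs are not covered because Get-GPInheritance does not report them.

```powershell
# Added example: compare GPO versions on the DCs with what the client last applied (computer scope).
Import-Module GroupPolicy, ActiveDirectory

function Get-ClientAppliedGpoVersion {
    # One entry per domain GPO in the local computer's Group Policy history (assumed key layout, see lead-in).
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
    $seen = @{}
    Get-ChildItem -Path $root -Recurse | ForEach-Object {
        $v = Get-ItemProperty -Path $_.PSPath
        if ($v.PSObject.Properties['GPOName'] -and $v.GPOName -match '^\{' -and -not $seen.ContainsKey($v.GPOName)) {
            $seen[$v.GPOName] = [pscustomobject]@{
                Guid            = $v.GPOName.Trim('{}')
                DisplayName     = $v.DisplayName
                ComputerVersion = $v.Version -band 0xFFFF            # low word: computer configuration version
                UserVersion     = ($v.Version -shr 16) -band 0xFFFF  # high word: user configuration version
            }
        }
    }
    $seen.Values
}

function Compare-GpoDelivery {
    param(
        [Parameter(Mandatory)][string]$ComputerName,        # the client
        [Parameter(Mandatory)][object[]]$ClientEntries,     # output of Get-ClientAppliedGpoVersion on that client
        [Parameter(Mandatory)][string[]]$DomainController   # e.g. the DC the client uses and the DC you edited on
    )
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $ou = $dn.Substring($dn.IndexOf(',') + 1)               # container holding the computer object
    # GPOs that should reach this computer through its domain and OU links (site links excluded)
    $expected = (Get-GPInheritance -Target $ou).InheritedGpoLinks | Where-Object { $_.Enabled }
    foreach ($link in $expected) {
        $client = $ClientEntries | Where-Object { $_.Guid -eq $link.GpoId.ToString() } | Select-Object -First 1
        foreach ($dc in $DomainController) {
            try   { $g = Get-GPO -Guid $link.GpoId -Server $dc -ErrorAction Stop } catch { $g = $null }
            $adVer  = if ($g) { $g.Computer.DSVersion }     else { $null }
            $sysVer = if ($g) { $g.Computer.SysvolVersion } else { $null }
            if (-not $g) {
                $verdict = 'Not found on this DC: GPO not yet replicated here, or deleted (Inaccessible GPO)'
            } elseif ($adVer -ne $sysVer) {
                $verdict = 'AD and SYSVOL versions differ on this DC: replication in progress'
            } elseif (-not $client) {
                $verdict = 'Not in client history: GPO has not reached the client (refresh, or OU change not yet replicated)'
            } elseif ($adVer -gt $client.ComputerVersion) {
                $verdict = 'Client applied an older version: Group Policy refresh has not run since the change'
            } else {
                $verdict = 'Current version applied on the client; look at the setting, not delivery'
            }
            [pscustomobject]@{
                Gpo = $link.DisplayName; DC = $dc
                DcAdVersion = $adVer; DcSysvolVersion = $sysVer
                ClientVersion = if ($client) { $client.ComputerVersion } else { $null }
                Verdict = $verdict
            }
        }
    }
}

# Collect the history on the client (placeholder name), then compare against two DCs (placeholder names).
$history = Invoke-Command -ComputerName 'WKS01' -ScriptBlock ${function:Get-ClientAppliedGpoVersion}
Compare-GpoDelivery -ComputerName 'WKS01' -ClientEntries $history -DomainController 'DC01', 'DC02' |
    Format-Table Gpo, DC, DcAdVersion, DcSysvolVersion, ClientVersion, Verdict -AutoSize
```

Running the comparison against two domain controllers separates the two causes this topic distinguishes: a version that differs between DCs (or between AD and SYSVOL on one DC) is a replication problem, while a client version that is lower than a consistent DC version means the client has not refreshed since the change.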

Network Connectivity (GPO Not at Client)

Group Policy requires a reliable networking infrastructure to ensure appropriate communication between the client computer and a domain controller. This includes TCP/IP, DNS, and other dependent technologies. For more information, see Group Policy does not refresh.